Thursday, September 10, 2009

MS Windows 2000 SP4 and XP Owners beware, "No patch for you" for MS09-048

| Brett D. Arion |


Microsoft this week set off what will be one of the most debated decisions it has made in some time, especially since organizations that pay maintenance on their software expect to receive patches for as long as Microsoft supports that software. When Microsoft released MS09-048 to address denial of service and remote code execution issues in the Windows TCP/IP stack, it did not include patches for Windows 2000 SP4 or Windows XP, citing this in the FAQ for the update:

"If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it?

The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. Microsoft recommends that customers running Microsoft Windows 2000 Service Pack 4 use a firewall to block access to the affected ports and limit the attack surface from untrusted networks.

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Does this update completely remove the vulnerabilities, TCP/IP Zero Window Size Vulnerability - CVE-2008-4609 and TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926?

Since the denial of service vulnerabilities, CVE-2008-4609 and CVE-2009-1926, affect the TCP/IP protocol itself, the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack. Also, these denial of service vulnerabilities can be further mitigated through the use of NAT and reverse proxy servers, further lowering the severity of this issue on client workstations."
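The FAQ's only workaround for the unpatched systems is to block the affected ports, and the attack it describes leaves a recognisable footprint on the target: a sustained flood that holds connection state until memory runs out. As an added example (not from the original post and not Microsoft's code), the script below triages that pattern from Windows `netstat -an` output. It lists TCP listeners bound to all interfaces (the ports a firewall rule should scope to trusted networks) and flags any remote host holding an abnormal number of ESTABLISHED connections to a single local port. The netstat sample is constructed, and the threshold of 50 connections per source is an assumption to be tuned against a baseline for the service in question.

```python
"""Triage of a TCP connection-hoarding flood from Windows `netstat -an` output.
Added example, not code from the original post or from Microsoft.
The sample below is constructed; the flood threshold is an assumption."""

import re
from collections import Counter

# Constructed sample in Windows `netstat -an` format (not a real capture).
_HEADER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.22:1041      ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.23:1102      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
# One remote host (203.0.113.5, a documentation address) holding 80 open
# connections to port 445, plus a few in TIME_WAIT: the hoarding pattern.
_FLOOD = "".join(
    f"  TCP    192.168.1.10:445       203.0.113.5:{50000 + i:<5}      ESTABLISHED\n"
    for i in range(80)
) + "".join(
    f"  TCP    192.168.1.10:445       203.0.113.5:{50100 + i:<5}      TIME_WAIT\n"
    for i in range(3)
)
SAMPLE_NETSTAT = _HEADER + _FLOOD

# Matches only TCP rows: proto, local addr:port, foreign addr:port, state.
_TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _split(addr):
    """Split 'host:port' on the last colon so IPv6-style hosts stay intact."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue
        lh, lp = _split(m.group(1))
        rh, rp = _split(m.group(2))
        rows.append((lh, lp, rh, rp, m.group(3)))
    return rows


def exposed_listeners(text):
    """Ports listening on every interface (0.0.0.0): the 'affected ports' a
    firewall rule should restrict to trusted networks. Loopback-only
    listeners are left out because they are not reachable from the network."""
    return sorted({lp for lh, lp, _, _, st in parse_netstat(text)
                   if st == "LISTENING" and lh == "0.0.0.0"})


def find_flood_sources(text, threshold=50):
    """Remote hosts holding more than `threshold` ESTABLISHED connections to one
    local port, most connections first. The threshold is an assumption; set it
    from a baseline of normal per-client connection counts for that service."""
    held = Counter()
    for _, lp, rh, _, st in parse_netstat(text):
        if st == "ESTABLISHED":
            held[(rh, lp)] += 1
    return sorted(((rh, lp, n) for (rh, lp), n in held.items() if n > threshold),
                  key=lambda t: -t[2])


if __name__ == "__main__":
    print("listeners exposed on all interfaces:", exposed_listeners(SAMPLE_NETSTAT))
    for rh, lp, n in find_flood_sources(SAMPLE_NETSTAT):
        print(f"{rh} holds {n} ESTABLISHED connections to local port {lp}")
```

On a live host, feed the script the real output of `netstat -an` in place of the constructed sample. Counting only ESTABLISHED rows is deliberate: TIME_WAIT and other transient states churn normally, whereas the FAQ's memory-consumption symptom comes from connections the attacker keeps open.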

That they are not patching the vulnerability for these supported products is one thing, but the following statement is just comical:

"The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. Microsoft recommends that customers running Microsoft Windows 2000 Service Pack 4 use a firewall to block access to the affected ports and limit the attack surface from untrusted networks."

Is that not the case for any denial of service attack? The systems recover once the flood ceases there too. Is it not best practice anyway to have a firewall limiting the attack surface from untrusted networks? It is also hard to believe that this can be "Critical" for the newer operating systems but only "Low" or "Important" for the older ones. Is this not backwards?

Ok, so they are not patching the issue, so maybe we should consider upgrading our servers to Windows Server 2003 or Windows Server 2008. Wait, they say they still do not fully fix the issues on those products either:

"Since the denial of service vulnerabilities, CVE-2008-4609 and CVE-2009-1926, affect the TCP/IP protocol itself, the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack."

So a vulnerability dating from 2008 is included in this bulletin, yet it is not actually fixed; the affected systems are merely made more resilient to it.

For some reason, I have a sneaking suspicion that this is the first of many to come until these operating systems go into the Extended Support phase. Maybe customers should ask for some of their maintenance costs to be refunded, as no patch is being created according to support contracts. It will be interesting to see if any breach of contract issues, or other litigation in the event of a breach or exploit of these vulnerabilities, occurs.


Disclaimer: The opinions expressed in this article are those of the author and do not represent the views of Hackers Center or its affiliates.

